Acquire Infrastructure: Virtual Private Server

Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.

Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.[1]

ID: T1583.003
Sub-technique of:  T1583
Platforms: PRE
Version: 1.1
Created: 01 October 2020
Last Modified: 17 October 2021

Procedure Examples

ID Name Description
G0001 Axiom

Axiom has used VPS hosting providers in targeting of intended victims.[2]

G0035 Dragonfly

Dragonfly has acquired VPS infrastructure for use in malicious campaigns.[3]

G0125 HAFNIUM

HAFNIUM has operated from leased virtual private servers (VPS) in the United States.[4]

G1004 LAPSUS$

LAPSUS$ has used VPS hosting providers for infrastructure.[5]

G0088 TEMP.Veles

TEMP.Veles has used Virtual Private Server (VPS) infrastructure.[6]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component Detects
DS0035 Internet Scan Response Content

Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.[7][8][9] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

Response Metadata

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

References